FIELD
The field of the present invention relates to computing systems. More particularly, embodiments of the present invention relate to network security management.
BACKGROUND
Technological advances have led to the use of increasingly large and complex networks, with an ever-increasing number of network systems, as an integral part of organizational operations. Many network systems routinely receive, process and/or store data of a sensitive and/or confidential nature. Users are often provided with access to a network via external network access points to retrieve and/or exchange data with network systems within the network. The increased use of such external network access points has in many cases rendered networks increasingly vulnerable to attacks by malicious users.
Attacks on networks are growing in frequency and sophistication. The sensitive nature of data that is routinely stored in such networks often attracts malicious users or hackers that seek to gain access to the sensitive data and/or confidential data. In some cases, malicious users seek access to networks and network systems with the intention of corrupting the network and/or network systems. Examples of mechanisms that are often used by malicious users to inflict damage on a network include, but are not limited to, viruses, worms, spiders, crawlers and Trojans.
The increasing frequency of attacks on networks has often led to an increase in the demands made on network administrators to detect, assess, and respond to detected network data anomalies in a timely manner.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the present technology for a system for managing security in a network and, together with the description, serve to explain principles discussed below:
FIG. 1 is a block diagram of an example network in which a network security system may be implemented, in accordance with embodiments of the present technology.
FIG. 2 is a block diagram of an example network security system, in accordance with embodiments of the present technology.
FIG. 3 is a flowchart of an example computer-implemented method of managing security in a network, in accordance with embodiments of the present technology.
FIG. 4 is a diagram of an example computer system used for managing security in a network, in accordance with embodiments of the present technology.
FIG. 5 is a flowchart of an example method of managing security in a network, in accordance with embodiments of the present technology.
The drawings referred to in this description should not be understood as being drawn to scale unless specifically noted.
Description of Embodiments
Reference will now be made in detail to embodiments of the present technology, examples of which are illustrated in the accompanying drawings. While the present technology will be described in conjunction with various embodiment(s), it will be understood that they are not intended to limit the present technology to these embodiments. On the contrary, the present technology is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the various embodiments as defined by the appended claims.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present technology. However, embodiments of the present technology may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present embodiments.
Unless specifically stated otherwise as apparent from the following discussions, it is appreciated that throughout the present detailed description, discussions utilizing terms such as “detecting”, “identifying”, “comparing”, “associating”, “mapping”, “determining”, “enabling”, “replacing”, or the like, refer to the actions and processes of a computer system, or similar electronic computing device. The computer system or similar electronic computing device manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission, or display devices. Embodiments of the present technology are also well suited to the use of other computer systems such as, for example, optical and mechanical computers.
Overview of Discussion
Embodiments in accordance with the present technology pertain to a system for managing security in a network and its usage. In one embodiment in accordance with the present technology, the system described herein enables the prevention of disruptive network traffic, such as, but not limited to, viruses, worms, spiders, crawlers, and Trojans. More particularly, the system detects disruptive network traffic at a first network location, identifies the source of the disruptive network traffic, and restricts the source's ability to circumvent the security system and re-enter the network at a second network location.
For example, a user logs into the local network via the user's desktop computer and a first port. However, unbeknownst to the user, a worm has infiltrated the desktop computer. As the user finishes downloading emails, the worm has already begun its work of creating network bandwidth issues, thereby disrupting local network traffic. In one instance, a network management system detects the intrusion of the worm and takes mitigation measures, such as denying the user access to the local network via the first port. In response to experiencing trouble accessing the local network via the first port, the user unplugs his desktop computer from the first port and plugs it into a second port. The user then attempts to log into the local network via the second port.
However, embodiments of the present technology provide that the user's access to the local network via the second port may also be restricted, based on the identification of the user's network address while using the first port as well as an access control policy associated with the user. For example, the worm was detected at the user's desktop computer via port 1 of the local network. The source of the worm was identified, namely the user's network address. Additionally, an access control policy may provide that the identified user network address associated with the data anomaly is to be denied access to the entire local network, regardless of which network port may be used. Thus, based on the user's network address and the related access control policy, the user is also denied access to the local network via the second port.
Therefore, embodiments of the present technology manage security in a network by applying automated preventative measures to avoid re-entry into a network at a location by a previously recognized disruptive source. In other words, embodiments of the present technology provide a method for preventing a user from circumventing mitigation measures responsive to network traffic disruptions traced to a first network location, such preventative measures including blocking the user from re-entering the network at a second network location.
Managing Security in a Network
FIG. 1 is a block diagram representation of an example network 100 in which one embodiment of managing security in a network may be implemented. The example network 100 generally includes first, second and third network switch systems 102, 104, 106, a network administrator system 108, a network management system 110, first, second and third server systems 112, 114, 116, and first, second, third and fourth threat assessment systems 118, 120, 122, 124. An external system 128, such as a laptop, is communicatively coupled with network 100.
First, second and third network switch systems 102, 104, 106 are communicatively coupled with each other and generally communicatively coupled with network 100. Each of first, second and third network switch systems 102, 104, 106, respectively, includes a plurality of data ports 1, 2, 3, 4, 5, 6. Communicative coupling is established between first network switch system 102 and second network switch system 104 via a communication channel between data port 6 of first network switch system 102 and data port 2 of second network switch system 104. Communicative coupling is established between second network switch system 104 and third network switch system 106 via a communication channel between data port 1 of second network switch system 104 and data port 6 of third network switch system 106.
In one embodiment, one or more network switch systems 102, 104, 106 include one or more edge interconnect data ports. Data port 1 of first network switch system 102 is communicatively coupled with external system 128 and is an example of an edge interconnect data port. In one embodiment, one or more network switch systems are configured as edge interconnect network switch systems, where the data ports 1, 2, 3, 4, 5, 6 are all configured as edge interconnect data ports.
In one embodiment, one or more network switch systems 102, 104, 106 include an embedded threat assessment system in the form of a switch-based trap system. The switch-based trap system is configured to detect one or more selected data anomalies and raises a data anomaly event upon detection of one of the selected data anomalies. In one embodiment, the switch-based trap system issues an anomaly notification to network management system 110 upon detection of one of the selected data anomalies. In one embodiment, the switch-based trap system issues an anomaly notification to network administrator system 108 upon detection of one of the selected data anomalies. In one embodiment, the switch-based trap system is a virus throttling (VT) system.
In one embodiment, one or more data ports 1, 2, 3, 4, 5, 6 of one or more of network switch systems 102, 104, 106 are configured as mirror source ports. In other embodiments, one or more of these data ports are configured as mirror destination ports, as local mirror source ports, as local mirror destination ports, as remote mirror source ports, or as remote mirror destination ports.
While network switch systems having six data ports have been described, network switch systems used in a network may have a fewer or a greater number of data ports. For example, many network switch systems have well over 100 data ports. Also, while a number of different types of network switch systems having the described configurations and/or features have been described, the network switch systems may be configured using alternative network switch system configurations and/or features. Furthermore, while a network has been described as having three network switch systems, a fewer or greater number of network switch systems may be used.
Threat assessment systems 118, 120, 122, 124 generally monitor network data to identify data anomalies that may pose a security threat to network 100 and evaluate any identified data anomalies. In one embodiment, threat assessment systems 118, 120, 122, 124 implement mitigation actions in response to the detection of a data anomaly that may pose a potential security threat to network 100. There are a number of different types of threat assessment systems 118, 120, 122, 124 available for use in network 100. Examples of such threat assessment systems 118, 120, 122, 124 include, but are not limited to, intrusion detection systems (IDS), intrusion prevention systems (IPS), unified threat management (UTM) systems and firewall systems (FW). In the example network 100, first and third threat assessment systems 118 and 122, respectively, are intrusion detection systems (IDS), second threat assessment system 120 is an intrusion prevention system (IPS), and fourth threat assessment system 124 is a unified threat management (UTM) system.
First and second threat assessment systems 118 and 120, respectively, are communicatively coupled with network 100 via first network switch system 102, and third and fourth threat assessment systems 122 and 124, respectively, are communicatively coupled to network 100 via second and third network switch systems 104 and 106, respectively. More specifically, first threat assessment system 118 is communicatively coupled with network 100 via a communication channel between first threat assessment system 118 and data port 2 of first network switch system 102. Second threat assessment system 120 is communicatively coupled with network 100 via a communication channel between second threat assessment system 120 and data port 5 of first network switch system 102. Third threat assessment system 122 is communicatively coupled with network 100 via a communication channel between third threat assessment system 122 and data port 6 of second network switch system 104. Fourth threat assessment system 124 is communicatively coupled with network 100 via a communication channel between fourth threat assessment system 124 and data port 5 of third network switch system 106.
In one embodiment, one or more threat assessment systems 118, 120, 122, 124 issue an anomaly event notification to network administrator system 108 upon the detection of selected data anomalies. In one embodiment, one or more threat assessment systems 118, 120, 122, 124 issue an evaluation notification to network administrator system 108 upon completion of an evaluation of a detected data anomaly. In one embodiment, one or more threat assessment systems 118, 120, 122, 124 issue an anomaly event notification to network management system 110 upon the detection of a data anomaly. In one embodiment, one or more threat assessment systems 118, 120, 122, 124 issue an evaluation notification to network management system 110 upon completion of an evaluation of a detected data anomaly.
While a number of different types of threat assessment systems have been described, other types of threat assessment systems may be used. Also, while a network has been described as having four threat assessment systems, a fewer or greater number of threat assessment systems may be used. Furthermore, while a particular network configuration has been described for the threat assessment systems, alternative network configurations may be employed.
In one embodiment, upon the detection of selected data anomalies by network management system 110, network management system 110 issues a data anomaly assessment request to a selected threat assessment system 118, 120, 122, 124 to provide an assessment of the detected data anomaly. In one embodiment, upon the detection of selected data anomalies by network management system 110, network management system 110 issues a data mirroring command to a selected network system to mirror network data associated with the detected data anomaly to a selected threat assessment system 118, 120, 122, 124. In one embodiment, upon the detection of selected data anomalies by network management system 110, network management system 110 identifies the threat type posed by the detected network data anomaly, identifies a threat assessment system 118, 120, 122, 124 that specializes in the evaluation of the identified threat type, and issues a data mirroring command to a selected network system to mirror network data associated with the data anomaly to the identified threat assessment system 118, 120, 122, 124.
Network management system 110 generally manages network operations, including network security operations. In one embodiment, network management system 110 includes a network immunity management system, where the network immunity management system generally manages network security operations. In one embodiment, network management system 110 is a network immunity management (NIM) system type of network management system that generally manages network security operations. Additional types of network management systems are used to manage other types of network operations. In one embodiment, network management system 110 includes an embedded threat assessment system. In one embodiment, the embedded threat assessment system is a network behavior anomaly detection (NBAD) system. Network management system 110 is communicatively coupled with network 100 via second network switch 104. More specifically, network management system 110 is communicatively coupled with network 100 via a communication channel between network management system 110 and data port 5 of second network switch system 104. Network management system 110 will be described in greater detail with reference to FIG. 2 below.
Network administrator 130 generally manages network operations, including network security operations, via network administrator system 108. Network administrator system 108 is communicatively coupled with network 100 via third network switch 106. More specifically, network administrator system 108 is communicatively coupled with network 100 via a communication channel between network administrator system 108 and data port 1 of third network switch system 106.
In one embodiment, network administrator 130 is provided with the option of manually defining and/or amending security policies via network administrator system 108. In one embodiment, anomaly notifications are received at network administrator system 108. In one embodiment, network administrator 130 is provided with the option of selectively manually enforcing selected security policies via network administrator system 108. In one embodiment, network administrator 130 is provided with the option of selectively manually implementing one or more mitigation responses to selected data anomalies via network administrator system 108. In one embodiment, network administrator 130 is provided with the option of configuring selected network systems via network administrator system 108.
In one embodiment, network administrator 130 is provided with the option of configuring individual network switch systems 102, 104, 106 via network administrator system 108. In one embodiment, network administrator 130 is provided with the option of configuring individual data ports 1, 2, 3, 4, 5, 6 of individual network switch systems 102, 104, 106 via network administrator system 108. In one embodiment, network administrator 130 is provided with the option of configuring individual data ports 1, 2, 3, 4, 5, 6 as mirror source data ports and as mirror destination data ports via network administrator system 108. In one embodiment, network administrator 130 is provided with the option of configuring individual data ports 1, 2, 3, 4, 5, 6 as local mirror source data ports and as local mirror destination data ports via network administrator system 108. In one embodiment, network administrator 130 is provided with the option of configuring individual data ports 1, 2, 3, 4, 5, 6 as remote mirror source data ports and as remote mirror destination data ports via network administrator system 108. While a number of different network administration functions that may be performed by network administrator 130 via network administrator system 108 have been described, other network administration functions may also be performed by network administrator 130 via network administrator system 108.
First server system 112 is communicatively coupled with network 100 via third network switch 106, and second and third server systems 114 and 116, respectively, are communicatively coupled with network 100 via second network switch 104. More specifically, first server system 112 is communicatively coupled with network 100 via a communication channel between first server system 112 and data port 3 of third network switch system 106. Second server system 114 is communicatively coupled with network 100 via a communication channel between second server system 114 and data port 3 of second network switch system 104. Third server system 116 is communicatively coupled with network 100 via a communication channel between third server system 116 and data port 4 of second network switch system 104. In the example network 100, first server system 112 handles data requiring a relatively low level of network security, while second and third server systems 114 and 116, respectively, handle relatively sensitive financial data and require a relatively higher level of network security. While one network configuration including specific types of server systems configured within the network in a particular manner has been described, other types of server systems may be used in a network. Also, while one network configuration of server systems has been described, alternative network configurations may be used. Furthermore, while three servers have been described as a part of the network, a fewer or greater number of servers may be used.
A user 126 has used external system 128, such as a laptop, to establish communicative coupling with network 100. External system 128 has established communicative coupling with network 100 via a communication channel established between external system 128 and data port 1 of first network switch system 102. Data port 1 is an edge interconnect data port. A user, as used in this description, includes human users as well as automated agents. One example of such an automated agent is a bot.
In one embodiment, communication channels established between network systems within network 100 are wireless communication channels. In one embodiment, communication channels established between network systems within network 100 are wired communication channels. In one embodiment, communication channels established between network systems within network 100 are a combination of wireless communication channels and wired communication channels.
In one embodiment, communication channels established between external system 128 and network 100 are wireless communication channels. In one embodiment, communication channels established between external system 128 and network 100 are wired communication channels. In one embodiment, communication channels established between external system 128 and network 100 are a combination of wireless communication channels and wired communication channels.
While one particular configuration of network 100 in which one embodiment of managing security in network 100 may be implemented has been described, embodiments of managing security in a network may be implemented in networks having alternative configurations. Furthermore, embodiments of managing security in a network may be implemented in networks including a fewer or greater number of types of network systems and including a fewer or greater number of the described network systems.
Example Architecture of Network Security System
FIG. 2 is a block diagram of an example network security system (NSS) 111, in accordance with embodiments of the present technology. NSS 111 is coupled, wired and/or wirelessly, with network management system 110 and network 100. NSS 112 includes anomaly detection module 200, source identifier 210, data store 220, source comparator 230, and access control policy associator 240. Embodiments of the present technology may further include mapping module 245 and source authenticator 255.
In one embodiment, anomaly detection module 200 is coupled, wired and/or wirelessly, with the threat assessment system embedded within one or more network switch systems 102, 104, and 106 described herein.
FIG. 2 shows network 100 comprising source 215 and data anomaly 205. Source 215 refers to the origin of a detected data anomaly 205. For example, source 215 is a mechanism used to access a network, and may include a computer only or a computer and its operator. Source 205 comprises network address 250. Network address 250 is recognizable by NSS 111, and may be used to locate the access control policy that applies to source 215, as will be described herein.
In one embodiment, data store 220 stores a plurality of access control policies 225a, 225b, 225c, 225d, 225e, and 225f (225a-225f). Data store 220 may be internal to or external to NSS 112. In one embodiment, data store 220 is coupled with but external to network 100 described herein.
While a plurality of access control policies, 225a-225f, is shown in FIG. 2, for purposes of brevity and clarity only one access control policy, 225a, will be discussed herein. Furthermore, while a limited number of access control policies, 225a-225f, are shown in FIG. 2, it is understood that data store 220 may hold as many access control policies as it is capable of storing. It is also understood that the description of access control policy 225a is representative of all access control policies.
Access control policy 225a comprises at least one access restriction instruction 235a associated with source 205. While only one access restriction instruction 235a is described herein, it is understood that access control policy 225a may contain more than one access restriction instruction. Access restriction instruction 235a includes a description of instructions limiting a source's access to a certain location within a network.
In one embodiment, access restriction instruction 235a may be a network location restriction for source 215. For example, access restriction instruction 235a may indicate that source 215 is only permitted access to ports 5 and 6 of the ports 1, 2, 3, 4, 5, and 6. In another embodiment, access restriction instruction 235a may be a network bandwidth restriction. For example, access restriction instruction 235a may indicate that source 215 is only permitted to use a pre-specified amount of bandwidth at all ports 1, 2, 3, 4, 5, and 6 on network 100. In one embodiment, access restriction instruction 235a may be a duration restriction for source 215. For example, access restriction instruction 235a may indicate that source 215 is only permitted access to network 100 via port 1 for two minutes a day.
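The three kinds of access restriction instruction just described (network location, network bandwidth and duration) can be modelled as small predicates that an access control policy combines. The following is an added example written for this page, not code from the patent; the class names (AccessRequest, Usage, LocationRestriction, BandwidthRestriction, DurationRestriction), the functions is_permitted and record_usage, the byte budget, and the calendar days are assumptions or constructed sample values. It shows one point the prose leaves implicit: a policy holding several instructions permits a request only when every instruction does, so the most restrictive instruction governs.

```python
"""Evaluating location, bandwidth and duration access restriction instructions.

Added example, not the patent's own code. Class and function names and the
sample values are assumptions/constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One attempt by a source to use the network (constructed input)."""
    port: int        # data port the source is plugged into (1..6 in FIG. 1)
    nbytes: int      # bytes the source wants to transfer in this request
    seconds: int     # how long the source wants to hold the port
    day: str         # ISO calendar day, used by per-day limits


@dataclass
class Usage:
    """What the network has already granted to one source."""
    bytes_used: int = 0
    seconds_used: int = 0
    usage_day: str = ""   # day on which seconds_used was accumulated

    def seconds_on(self, day: str) -> int:
        # Duration limits are per day, so a new day starts from zero.
        return self.seconds_used if day == self.usage_day else 0


@dataclass(frozen=True)
class LocationRestriction:
    """Network location restriction: access only via the listed ports."""
    permitted_ports: frozenset

    def permits(self, req: AccessRequest, usage: Usage) -> bool:
        return req.port in self.permitted_ports


@dataclass(frozen=True)
class BandwidthRestriction:
    """Network bandwidth restriction: a pre-specified byte budget across all ports."""
    max_bytes: int

    def permits(self, req: AccessRequest, usage: Usage) -> bool:
        return usage.bytes_used + req.nbytes <= self.max_bytes


@dataclass(frozen=True)
class DurationRestriction:
    """Duration restriction: access only via one port, at most N seconds a day."""
    port: int
    max_seconds_per_day: int

    def permits(self, req: AccessRequest, usage: Usage) -> bool:
        if req.port != self.port:
            return False
        return usage.seconds_on(req.day) + req.seconds <= self.max_seconds_per_day


def is_permitted(policy, req: AccessRequest, usage: Usage) -> bool:
    """A policy is a list of instructions; every one of them must permit the request."""
    return all(instr.permits(req, usage) for instr in policy)


def record_usage(usage: Usage, req: AccessRequest) -> Usage:
    """Account for a permitted request so that later checks see it."""
    usage.bytes_used += req.nbytes
    if req.day != usage.usage_day:
        usage.usage_day = req.day
        usage.seconds_used = 0
    usage.seconds_used += req.seconds
    return usage


def demo() -> dict:
    """Walk the three examples from the text; returns each decision by label."""
    ports_5_and_6 = [LocationRestriction(frozenset({5, 6}))]
    byte_budget = [BandwidthRestriction(max_bytes=1_000)]   # constructed budget
    two_minutes_on_port_1 = [DurationRestriction(port=1, max_seconds_per_day=120)]

    usage = Usage()
    first = AccessRequest(port=1, nbytes=0, seconds=100, day="2024-01-01")
    decisions = {
        "port 5 when only 5,6 allowed": is_permitted(ports_5_and_6, AccessRequest(5, 10, 1, "2024-01-01"), Usage()),
        "port 1 when only 5,6 allowed": is_permitted(ports_5_and_6, AccessRequest(1, 10, 1, "2024-01-01"), Usage()),
        "1001 bytes against a 1000 byte budget": is_permitted(byte_budget, AccessRequest(3, 1_001, 1, "2024-01-01"), Usage()),
        "first 100 s on port 1": is_permitted(two_minutes_on_port_1, first, usage),
    }
    record_usage(usage, first)
    decisions["a further 30 s the same day"] = is_permitted(
        two_minutes_on_port_1, AccessRequest(1, 0, 30, "2024-01-01"), usage)
    decisions["120 s the next day"] = is_permitted(
        two_minutes_on_port_1, AccessRequest(1, 0, 120, "2024-01-02"), usage)
    return decisions


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'permitted' if allowed else 'denied'}")
```

The usage record is the part an implementer must get right: bandwidth and duration limits are meaningless unless the network accounts for what it has already granted, and a per-day limit has to reset when the day changes rather than accumulate forever.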
As will be described herein, embodiments of the present technology provide a mechanism for detecting anomalous or harmful behavior by users and/or machines and to temporarily or permanently restrict future access rights to the network in order to prevent continued harmful behavior.
Example Operation of Network Security System
More generally, in embodiments in accordance with the present technology, NSS 111 is utilized to recognize the source of a network attack at a first location and restrict this source's access to the network at another network location. Such a method of managing access to a network is particularly useful in preventing a user responsible for disruptive network traffic from re-entering the network at a second location and causing more disruption.
Referring still to FIG. 2, anomaly detection module 200 is configured to detect data anomaly 205 at a first location on network 100. The first location on network 100 may be any location within network 100 at which a data anomaly may be detected, such as, but not limited to, ports 1, 2, 3, 4, 5, and/or 6.
In one embodiment, source identifier 210 is configured to identify a source 215 of data anomaly 205. In one embodiment, mapping module 245 is configured to map source 215 to an associated network address via technology known in the field.
In one embodiment, source authenticator 255 is configured to determine a role associated with source 215. In one embodiment, the term “role” refers to source 215's pre-defined function within network 100, which function corresponds to source 215's level of access permitted to various locations within network 100. For example, source authenticator 255 recognizes source 215 via source 215's network address 250, and determines source 215's pre-defined role within network 100. This role may be that of a “manager”. A manager in the corporation may typically be permitted a high level of access at various locations within the network.
In one embodiment, source comparator 230 compares source 215 with the plurality of access control policies 225a-225f, wherein each of the plurality of access control policies 225a-225f comprises at least one access restriction instruction 235a-235f associated with one or more sources, such as source 215.
In one embodiment, access control policy associator 240 is configured for associating source 215 with a corresponding one of the plurality of access control policies 225a-225f based on source comparator 230's comparison described herein. An access control policy that “corresponds” with source 215 may be one that references source 215's pre-defined “role” and/or source 215's network address. Associating source 215 with the corresponding access control policy 225a may entail communicating this corresponding access control policy 225a to network 100 and an administrator therein. Additionally, access control policy 225a may become temporarily associated with source 215 or permanently associated with source 215.
In one embodiment, network 100 may be programmed to automatically replace the current access control policy regarding source 215 with the access control policy 225a. In another embodiment, network 100 and/or any administrator thereof may receive access control policy 225a for examination before determining whether or not to implement it.
Referring now to 300 of FIG. 3, a flowchart of an example computer-implemented method of managing security in network 100, in accordance with embodiments of the present technology, is shown.
Referring to 305 of FIG. 3 and as described herein, in one embodiment of the present technology, data anomaly 205 is detected at a first location on network 100. Referring now to 310 of FIG. 3 and as described herein, in one embodiment source 205 of data anomaly 205 is identified.
Referring to 315 of FIG. 3 and as described herein, in one embodiment, source 205 is compared with a plurality of access control policies 225a-225f, wherein each of the plurality of access control policies 225a-225f comprises at least one access restriction instruction 235a-235f associated with one or more sources, such as, but not limited to, source 205. Referring now to 320 of FIG. 3 and as described herein, in one embodiment, based on the comparing of 315 of FIG. 3, source 205 is associated with a corresponding one of the plurality of access control policies 225a-225f.
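The four steps of FIG. 3 (detect at a first location, identify the source, compare it with the stored policies, associate the corresponding policy) and the worm example from the overview can be traced end to end in a few dozen lines. What follows is an added example written for this page, not code from the patent; the class names (AnomalyEvent, AccessControlPolicy, NetworkSecuritySystem), the MAC addresses, network addresses, roles and policy contents are assumptions or constructed sample values. It also makes one design choice the text leaves open: when both an address-specific policy and a role policy match a source, the address-specific one is taken as the corresponding policy.

```python
"""Detect at a first location, identify the source, compare with policies, deny re-entry.

Added example, not the patent's own code. Class names and the MAC/address/role
values and policy contents are assumptions/constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AnomalyEvent:
    """What a switch trap reports to the anomaly detection module (constructed)."""
    port: int            # first location: data port where the anomaly was seen
    source_mac: str      # link-layer identity seen on that port
    kind: str            # e.g. "worm"


@dataclass(frozen=True)
class AccessControlPolicy:
    """One access control policy carrying a single access restriction instruction."""
    name: str
    match_address: Optional[str] = None    # applies to this network address ...
    match_role: Optional[str] = None       # ... or to every source with this role
    denied_ports: frozenset = frozenset()  # ports the source may no longer use
    deny_entire_network: bool = False      # denied regardless of which port is used


class NetworkSecuritySystem:
    def __init__(self, policies, address_map, role_map):
        self.policies: List[AccessControlPolicy] = policies   # data store
        self.address_map: Dict[str, str] = address_map        # mapping module: MAC -> address
        self.role_map: Dict[str, str] = role_map              # source authenticator: address -> role
        self.associated: Dict[str, AccessControlPolicy] = {}  # address -> policy now in force

    def identify_source(self, event: AnomalyEvent) -> str:
        """Source identifier plus mapping module: resolve the event to a network address."""
        return self.address_map[event.source_mac]

    def compare(self, address: str) -> Optional[AccessControlPolicy]:
        """Source comparator: an address-specific policy takes precedence over a role policy."""
        for policy in self.policies:
            if policy.match_address == address:
                return policy
        role = self.role_map.get(address)
        for policy in self.policies:
            if policy.match_role is not None and policy.match_role == role:
                return policy
        return None

    def handle_anomaly(self, event: AnomalyEvent):
        """Steps 305-320: detect, identify, compare, associate."""
        address = self.identify_source(event)
        policy = self.compare(address)
        if policy is not None:
            self.associated[address] = policy   # access control policy associator
        return address, policy

    def access_permitted(self, address: str, port: int) -> bool:
        """Enforcement at any later location, e.g. the second port the user tries."""
        policy = self.associated.get(address)
        if policy is None:
            return True
        if policy.deny_entire_network:
            return False
        return port not in policy.denied_ports


def build_example_nss() -> NetworkSecuritySystem:
    # Constructed policies and identity mappings for the scenario below.
    policies = [
        AccessControlPolicy("quarantine-10.0.0.5", match_address="10.0.0.5", deny_entire_network=True),
        AccessControlPolicy("managers-lose-edge-port", match_role="manager", denied_ports=frozenset({1})),
    ]
    address_map = {"aa:bb:cc:00:00:05": "10.0.0.5", "aa:bb:cc:00:00:09": "10.0.0.9"}
    role_map = {"10.0.0.5": "manager", "10.0.0.9": "manager"}
    return NetworkSecuritySystem(policies, address_map, role_map)


def worm_scenario() -> dict:
    nss = build_example_nss()
    # Worm traffic is detected at port 1 from the laptop whose address is 10.0.0.5.
    addr, policy = nss.handle_anomaly(AnomalyEvent(port=1, source_mac="aa:bb:cc:00:00:05", kind="worm"))
    # The user unplugs and moves to port 2: still denied, the policy covers the whole network.
    moved_to_port_2 = nss.access_permitted(addr, 2)
    # A second manager device: only the role policy matches, so it loses port 1 but keeps port 2.
    addr2, policy2 = nss.handle_anomaly(AnomalyEvent(port=1, source_mac="aa:bb:cc:00:00:09", kind="worm"))
    return {
        "policy for 10.0.0.5": policy.name,
        "10.0.0.5 on port 2": moved_to_port_2,
        "policy for 10.0.0.9": policy2.name,
        "10.0.0.9 on port 1": nss.access_permitted(addr2, 1),
        "10.0.0.9 on port 2": nss.access_permitted(addr2, 2),
        "unknown address on port 1": nss.access_permitted("10.0.0.77", 1),
    }


if __name__ == "__main__":
    for label, value in worm_scenario().items():
        print(f"{label}: {value}")
```

The enforcement check is keyed on the network address rather than on the port where the anomaly was first seen; that is exactly what stops the user in the overview from escaping the mitigation by changing ports. A source that has never been associated with a policy is left unrestricted, which matches the text's description of the policy becoming associated with a source only after detection and comparison.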
Example Computer System EnvironmentFIG. 4 illustrates anexample computer system400 used in accordance with embodiments of the present technology. It is appreciated thatsystem400 ofFIG. 4 is an example only and that embodiments of the present technology can operate on or within a number of different computer systems including general purpose networked computer systems, embedded computer systems, routers, switches, server devices, user devices, various intermediate devices/artifacts, stand alone computer systems, and the like. As shown inFIG. 4,computer system400 ofFIG. 4 is well adapted to having peripheral computer readable media402 such as, for example, a compact disc, and the like coupled therewith.
System400 ofFIG. 4 includes an address/data bus404 for communicating information, and aprocessor406A coupled to bus404 for processing information and instructions. As depicted inFIG. 4,system400 is also well suited to a multi-processor environment in which a plurality ofprocessors406A,4068, and406C are present. Conversely,system400 is also well suited to having a single processor such as, for example,processor406A.Processors406A,406B, and406C may be any of various types of microprocessors.System400 also includes data storage features such as a computer usable volatile memory408, e.g. random access memory (RAM), coupled to bus404 for storing information and instructions forprocessors406A,406B, and406C.
System400 also includes computer usablenon-volatile memory410, e.g. read only memory (ROM), coupled to bus404 for storing static information and instructions forprocessors406A,406B, and406C. Also present insystem400 is a data storage unit412 (e.g., a magnetic or optical disk and disk drive) coupled to bus404 for storing information and instructions.System400 also includes an optional alpha-numeric input device614 including alphanumeric and function keys coupled to bus404 for communicating information and command selections toprocessor406A orprocessors406A,406B, and406C.System400 also includes an optionalcursor control device416 coupled to bus404 for communicating user input information and command selections toprocessor406A orprocessors406A,406B, and406C.System400 also includes anoptional display device418 coupled to bus404 for displaying information.
Referring still to FIG. 4, optional display device 418 of FIG. 4 may be a liquid crystal device, cathode ray tube, plasma display device or other display device suitable for creating graphic images and alpha-numeric characters recognizable to a user. Optional cursor control device 416 allows the computer user to dynamically signal the movement of a visible symbol (cursor) on a display screen of display device 418. Many implementations of cursor control device 416 are known in the art including a trackball, mouse, touch pad, joystick or special keys on alpha-numeric input device 414 capable of signaling movement of a given direction or manner of displacement. Alternatively, it will be appreciated that a cursor can be directed and/or activated via input from alpha-numeric input device 414 using special keys and key sequence commands.
System 400 is also well suited to having a cursor directed by other means such as, for example, voice commands. System 400 also includes an I/O device 420 for coupling system 400 with external entities.
Referring still to FIG. 4, various other components are depicted for system 400. Specifically, when present, an operating system 422, applications 424, modules 426, and data 428 are shown as typically residing in one or some combination of computer usable volatile memory 408, e.g. random access memory (RAM), and data storage unit 412. However, it is appreciated that in some embodiments, operating system 422 may be stored in other locations such as on a network or on a flash drive; and that further, operating system 422 may be accessed from a remote location via, for example, a coupling to the internet. In one embodiment, the present invention, for example, is stored as an application 424 or module 426 in memory locations within RAM 408 and memory areas within data storage unit 412.
Computing system 400 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the present technology. Neither should the computing environment 400 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the example computing system 400.
Embodiments of the present technology may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. Embodiments of the present technology may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer-storage media including memory-storage devices.
FIG. 5 is a flowchart of an example method of managing security in a network, in accordance with embodiments of the present technology. In one embodiment, process 500 is carried out by processors and electrical components under the control of computer readable and computer executable instructions. The computer readable and computer executable instructions reside, for example, in data storage features such as computer usable volatile and non-volatile memory. However, the computer readable and computer executable instructions may reside in any type of computer readable medium. In one embodiment, process 500 is performed by NSS 111 of FIG. 2.
Referring to 505 of FIG. 5, in one embodiment, source 215 of a detected data anomaly 205 at a first location on network 100 is determined. In one embodiment, determining the source of detected data anomaly 205 comprises detecting data anomaly 205 at a first location on network 100 and identifying source 215 of data anomaly 205.
In one embodiment, identifying source 215 of data anomaly 205 comprises mapping source 215 to an associated network address 250. In one embodiment, identifying source 215 of data anomaly 205 comprises determining a role-based authentication of source 215.
Referring now to 510 of FIG. 5, in one embodiment and as described herein, source 215 is compared with the plurality of access control policies 225a-225f, wherein each of the plurality of access control policies 225a-225f comprises at least one access restriction instruction 235a-235f associated with one or more sources, such as but not limited to, source 215.
Referring now to 515 of FIG. 5, in one embodiment and as described herein, based on the comparing described in 510 of FIG. 5, source 215 is associated with a corresponding one of the plurality of access control policies 225a-225f. In one embodiment, a first access control policy is replaced with a second access control policy, such as 225a, wherein the second access control policy is based on the determining of source 215 described herein and in 505 of FIG. 5. The first access control policy may be the original access control policy relating to source 215, or may be the most current access control policy relating to source 215. In other words, the second access control policy may override any previous access control policy in place.
Thus, embodiments of the present technology enable the prevention of continued harmful behavior on a network by providing a mechanism for detecting anomalous or harmful behavior by a user and/or a machine and restricting the user and/or the machine's future network access rights.
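The three steps of FIG. 5 (505: detect an anomaly at a location and resolve its source to an address and an authenticated role; 510: compare the source against the plurality of access control policies; 515: associate the source with one policy so that it overrides whatever was in force) are shown below in working Python. This is an added illustration, not code from the patent or from any product implementing it. The flow records, the address-to-source table, the role names, the policy set, the port-scan heuristic and its threshold, and the function names are all assumptions made for the example.

```python
"""Added example (not the patent's own code) of the FIG. 5 flow.
Every record, identifier, threshold and policy below is constructed
for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of flow records seen at one network location:
# (location, source network address, destination port).
SAMPLE_EVENTS = [
    ("switch-1/port-7", "10.0.0.5", 22),
    ("switch-1/port-7", "10.0.0.5", 443),
    ("switch-1/port-7", "10.0.0.9", 22),
    ("switch-1/port-7", "10.0.0.9", 23),
    ("switch-1/port-7", "10.0.0.9", 25),
    ("switch-1/port-7", "10.0.0.9", 80),
    ("switch-1/port-7", "10.0.0.9", 443),
    ("switch-1/port-7", "10.0.0.9", 3389),
]

# Constructed table mapping a network address to the source behind it and
# the role that source authenticated with (step 505: map the source to
# its address and determine its role-based authentication).
ADDRESS_TABLE = {
    "10.0.0.5": ("alice", "engineer"),
    "10.0.0.9": ("build-agent-3", "service"),
}


@dataclass
class AccessControlPolicy:
    name: str
    applies_to: set     # roles or source identifiers the policy covers
    restrictions: list  # access restriction instructions (assumed syntax)


# Constructed plurality of policies (the 225a-225f of the text); each one
# carries at least one access restriction instruction. Order is precedence.
POLICIES = [
    AccessControlPolicy("quarantine-service", {"service"},
                        ["deny all except 10.0.0.1:514"]),
    AccessControlPolicy("restrict-engineer", {"engineer"},
                        ["deny tcp/3389", "deny tcp/23"]),
    AccessControlPolicy("block-source", {"mallory"}, ["deny all"]),
]


def detect_anomalies(events, location, max_distinct_ports=4):
    """Step 505, detection: flag a source address as anomalous at the given
    location when it touches more distinct destination ports than the
    threshold (a simple port-scan heuristic; the threshold is assumed)."""
    ports = defaultdict(set)
    for loc, src, dport in events:
        if loc == location:
            ports[src].add(dport)
    return sorted(src for src, seen in ports.items()
                  if len(seen) > max_distinct_ports)


def identify_source(address):
    """Step 505, identification: resolve an address to (source, role).
    Unknown addresses keep the address as source with no role."""
    return ADDRESS_TABLE.get(address, (address, None))


def select_policy(source, role, policies):
    """Steps 510 and 515: compare the source against every policy and return
    the first whose scope names the source or its authenticated role."""
    for policy in policies:
        if source in policy.applies_to or role in policy.applies_to:
            return policy
    return None


def manage_security(events, location, current, policies=POLICIES):
    """Run the whole flow and return an updated {source: policy name} table.
    The selected policy replaces whatever policy was in force for the source;
    the input table is left untouched so the previous state can be audited."""
    updated = dict(current)
    for addr in detect_anomalies(events, location):
        source, role = identify_source(addr)
        chosen = select_policy(source, role, policies)
        if chosen is not None:
            updated[source] = chosen.name  # second policy overrides the first
    return updated


if __name__ == "__main__":
    before = {"build-agent-3": "default-allow", "alice": "default-allow"}
    print(manage_security(SAMPLE_EVENTS, "switch-1/port-7", before))
```

Two points a practitioner would check before deploying something of this shape: the first-match rule makes list order the precedence, so an overlapping, less restrictive policy placed earlier would silently win, and a production system should resolve overlaps explicitly (most restrictive match, or an ordered precedence field); and because the new policy overrides the previous one outright, the replaced policy and the anomaly that triggered the change should be recorded so the restriction can be reviewed and reverted.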
Although the subject matter has been described in a language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.